1 JUL 1980 


MEMORANDUM FOR: See Distribution 


FROM: 
Chief, Information Services Staff, DDA 

SUBJECT: Evaluation of the Agency's Information Security 
Program by the Information Security Oversight 
Office 


1. For your information, attached is the latest evaluation 
of the Agency's information security program by the Information 
Security Oversight Office. 


2. You will note the generally favorable findings in section 
IV. The recommendations for improvement in section VI will be the 
subject of a Headquarters notice. 


3. I would like to thank each of the participants for their 
fine effort during this inspection. 


STATINTL 
by the Information Security Oversight Office 


Distribution: 
Deputy to the DCI for Collection Tasking 
Deputy to the DCI for Resource Management 
Director, National Foreign Assessment Center 
Deputy Director for Operations 
Deputy Director for Science and Technology 
Comptroller 
General Counsel 
Inspector General 
Legislative Counsel 
Director of Personnel, Policy, Planning, and Management 
Director of Public Affairs 
Director, Equal Employment Opportunity 
Executive Secretary 
Director of Communications 
Director of Data Processing 
Director of Finance 
Director of Logistics 
Director of Medical Services 
Director of Security 
Director of Training 
Chief, Classification Review Division 
Chief, Information and Privacy Division 
Chief, Regulations Control Division 


Approved For Release 2001/11/08 : CIA-RDP85B00236R000200150024-1 


Information Security Oversight Office 
Washington, DC 20405 


JUN 12 1980 


Mr. Don I. Wortman 

Deputy Director for Administration 
Central Intelligence Agency 
Washington, D. C. 20505 


Dear Mr. Wortman: 


The Information Security Oversight Office (ISOO), established under 
Executive Order 12065, is responsible for monitoring Executive 
Branch agencies and their actions to implement the provisions of 
the Order. In compliance with Section 5-2 of the Order, ISOO 
analysts, during the period April 21-25, 1980, conducted an on-site 
review of the information security program within nine offices of 
the Central Intelligence Agency (CIA) to determine the effectiveness 
and degree of compliance with the Order. The last review had been 
conducted on March 11, 1980. 


Our inspection report, a copy of which is attached, indicates that 
the CIA continues to implement and comply with the Order in a 
highly commendable manner. Your continued support of the program 
is appreciated. Section VI of the report does contain three 
specific recommendations for [illegible] 


I appreciate the courtesy and support provided by the officials 
who met with members of my staff. 


Sincerely, 


Director 


Enclosure 
INFORMATION SECURITY OVERSIGHT OFFICE 
INSPECTION OF THE CENTRAL INTELLIGENCE AGENCY 


I. PURPOSE. To review the Central Intelligence Agency (CIA) 
information security program; to determine progress in 
implementing Executive Order 12065 and Information Security 
Oversight Office (ISOO) Directive No. 1; and to conduct a 
review of classified information generated by CIA. 


II. AUTHORITY. Sections 5-202(a) and (h) of Executive Order 
12065. 


III. GENERAL. Mr. John Cornett and Mr. Harold Mason, ISOO staff 
analysts, conducted a review of the CIA information security 
program during the period of April 21-25, 1980. The 
following areas were subject to inspection: 


Office, Director of Central Intelligence (O/DCI), Executive 
Registry 


Office, Director of Central Intelligence, Office of 
General Counsel (O/DCI/OGC) 


Deputy Director for Science and Technology, National 
Photographic Interpretation Center (DDS&T/NPIC) 


NFAC/Office of Imagery Analysis 


Deputy Director for Administration, Office of Security, 
Special Security Center (DDA/OS/SSC) 


Deputy Director for Administration, Office of Security, 
Information Systems Security Group (DDA/OS/ISSG) 


Deputy Director for Administration, Office of Communications 
(DDA/OC) 


Deputy Director for Operations (DDO), IMS/Freedom, Privacy 
and Litigation Group 


Deputy Director for Operations (DDO), Area Branch 


IV. FINDINGS 


A. Status of Implementation. Throughout the CIA, there 
is consistency in marking, safeguarding, classification 
and general compliance with the provisions of Executive 
Order 12065. This is attributable to (1) an excellent 
central training program that is provided to all 
personnel, including the secretarial staff, who work 
with or are required to meet any provisions of the 
Order; (2) the preparation of specialized classification 
guides for each Directorate; and (3) the 
mandates levied on the CIA under the National 
Security Act of 1947 supplemented by the Central 
Intelligence Agency Act of 1949 and other programs 
that prescribe the requirements for the protection 
of intelligence activities, sources and methods and 
other sensitive information. Results of the inspection 
indicated that personnel had an excellent 
understanding of and were in compliance with the 
Order. 


1. Classification. 


a. Classification Guides. Each Directorate 
within the CIA utilizes a classification 
guide oriented towards its particular 
area of operations. The CIA is unique 
among agencies in the manner in which it 
utilizes classification guides; in addition 
to identifying the guide, they also 
identify the section in which the particular 
subject is located; the person who derivatively 
classified the document; the date 
for review or declassification; and the 
reason for extension, when extended. When 
the guide and section are shown, the ISOO 
inspectors are able to conduct an audit 
trail in a minimal period of time. Most 
agencies simply cite the identification 
of the guide. Also, in some offices visited, 
if more than one section of the guide is 
used, they identify the guide and section 
after each paragraph and mark "multiple 
source" in the "derived from" section of the 
stamped marking. 


Most guides used in DDS&T/NPIC are published 
by the Committee on Imagery Exploitation 
(COMIREX). Caveats for markings, other than 
those prescribed in the Order, are established 
in the Director of Central Intelligence 
Directive (DCID) 1/7. 


Each Directorate had developed classification 
guides concurrent with the effective date of 
the Order. The Records Management Division 
has now completed a draft of a classification 
guide covering general topics of interest to 
all Directorates. A review of the guide 
indicated it was the result of much 
thought and research. As a "general subjects" 
guide it is possibly the first of its 
type. Target date for formal publication 
is December 1980. 


b. Use of Derivative Classification. The CIA 
is one of the few agencies which identifies 
personnel authorized to derivatively classify 
information. Again, through this procedure 
the analysts were able to determine which 
person was responsible for derivatively 
classifying the document and then question 
him on the justification for his decision. 


c. Original Classification. Since most subjects 
are covered in classification guides, the 
number of original classification decisions is 
only approximately 15 percent of all CIA 
actions. As a general rule, if a subject is 
not covered in a classification guide, then 
it is recorded as an original classification 
decision. 


Document Review. 


a. Results of the document review indicated 
that the majority of documents were classified 
at the Secret level with an established 
review date of 20 years. This was attributable 
to the subject matter and sensitivity 
of the information involved. Normally, 
throughout the agency, the number of original 
classification decisions are 2 percent at the 
Top Secret level, 20 percent Secret and 78 
percent Confidential. Approximately 90 
percent of the documents extended beyond 20 
years are at the Confidential level. 


b. In one instance, a document reviewed in the 
O/DCI/OGC was marked SECRET-SENSITIVE. 
However, the document did not originate in 
that office. During a visit to another 
agency, an official interviewed stated that 
he had been in receipt of documents with 
this marking. 


c. In two instances, documents were marked 
"entire text classified Secret." The 
reviewers contended that they could have 
been portion marked and 1 or 2 paragraphs 
marked Confidential or unclassified. The 
persons interviewed agreed with the analysts' 
decision. 


d. Within DDA/OC, all portions of their documents 
were properly marked with the level of classification. 
In addition, each portion also 
included reference to the section in the 
guide even though each involved the same 
section. Although this practice is not a 
violation of the Order, the ISOO reviewers 
contend that it is not necessary and creates 
an additional burden on the classifiers. 


e. In a few instances, subjects were not portion 
marked. 
f. Some documents were prepared on paper with 
pre-printed classification markings that 
resulted in the classification being in 
type smaller than that of the text. 


Safeguarding. In DDA/OS/ISSG, logs are maintained 
for all Top Secret documents provided to other 
agencies. However, audit trails are not conducted 
by CIA to determine the status of the documents. 
Instead, they rely upon audit trails that are 
conducted by the recipient agency Top Secret 
Control Officer. The CIA Office of Security does 
conduct inspections of agencies that receive their 
material to make certain that proper safeguarding 
practices are observed. 


Declassification. The ISOO analysts received an 
excellent briefing from the DDO/IMS/Freedom, 
Privacy and Litigation Group. They explained 
the magnitude of the operation involved in a 
Freedom of Information, Privacy Act or Mandatory 
Review request. Many requests involve thousands 
of pages, with each request encompassing tremendous 
coordination, record keeping, review, litigation 
and liaison activity between agencies. Many 
personnel and hours are required for each request. 
Since all the documents in this office predated 
E.O. 12065, no review was conducted. Other 
aspects of the CIA mandatory and systematic review 
program have been discussed in prior reports. 


Initial requests for classified documents under the 
Freedom of Information Act (FOIA) or Privacy Act, 
and appeals to denials of these requests, are not 
subject to immediate formal classification review. 
However, each document is reviewed to determine 
if it can be sanitized or released in its entirety. 
If it is determined that the document can not be 
released in whole or in part, then it is further 
reviewed to determine if it meets the exemptions 
for denial under the FOIA or Privacy Act. In the 
event a case goes to litigation, then a formal 
classification review is conducted. The document 
is then provided to each component with subject 
matter interest where a line-by-line review is 
conducted to determine if any portion of the 
document can be released. The document is sent 
to the Office of the General Counsel for final 
review and evaluation. 


In the case of mandatory review requests under 
Executive Order 12065, a formal classification 
review is immediate. The document is submitted 
directly to the component with subject matter 
interest and reviewed for possible declassification 
or sanitization. The proposed legislation to 
partially exempt the agency from the FOIA is not 
expected to reduce their work load in this area. 


V. CONCLUSION. Personnel interviewed were extremely cooperative 
with the ISOO analysts; their briefings were open and frank, 
consistent with the sensitivity of the information. 


VI. RECOMMENDATIONS. Based upon the results of the survey, 
the ISOO analysts recommend that the CIA: 


1. Discontinue the practice of using SECRET-SENSITIVE on 
documents. 


2. Use the statement "entire text" sparingly, and only 
when the entire text warrants the same level of 
classification. 


3. Inform individuals who apply portion markings that 
subject classification is included in their marking 
requirements. 